| Graduate student: | 曾博彥 Po-Yen Tseng |
|---|---|
| Thesis title: | 基於系統呼叫序列與注意力LSTM模型偵測Android惡意軟體之研究 Android Malware Analysis Based on System Call sequences and Attention-LSTM |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Oral defense committee: | |
| Degree: | Master |
| Department: | College of Management - Department of Information Management |
| Year of publication: | 2019 |
| Academic year of graduation: | 107 |
| Language: | Chinese |
| Number of pages: | 61 |
| Keywords: | Deep Learning, Attention-LSTM, Android, Malware Classification, System Call Sequence |
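The ubiquity of mobile devices and the openness of the Android operating system have let an endless stream of malware seriously affect users' information security. Faced with constantly changing attack techniques and detection-evasion methods, detecting malware more accurately and protecting against it has become an important issue. Existing research has shown that analyzing an application's actual execution effectively avoids evasion problems such as code obfuscation. However, for the sequence-type features this approach extracts, learning the relationships among features in more detail so as to raise the classification model's accuracy remains the direction of much research effort. The system call sequence invoked during an application's execution has the property of faithfully reflecting the application's actual runtime behavior. This study extracts system call sequences as features and uses a Long Short-Term Memory (LSTM) deep learning architecture to capture the dependencies between preceding and following system calls. To keep classification accuracy from falling as the system call sequence grows longer, an attention mechanism is added to the classification model: attention scores are computed over the LSTM units' short-term memory and applied as a weighted average in the classification decision, strengthening the model's ability to tell different malicious attack types apart. Experimental results confirm that a deep neural network with a two-layer bidirectional LSTM architecture plus the attention mechanism reaches 93.5% in distinguishing benign from malicious programs, and an accuracy of 93.1% in the finer-grained classification of benign programs and two other malware types, demonstrating excellent classification ability.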
With the popularity of Android mobile devices, detecting and protecting against malicious software has become an important issue. Studies have proposed that dynamic analysis can overcome detection-evasion problems such as code obfuscation. However, how to learn in more detail the correlation between the sequence-type features extracted by dynamic analysis, in order to improve the accuracy of the classification model, remains the direction of many research efforts. This study extracts the system call sequence as a feature and captures the correlation between system calls through a Long Short-Term Memory (LSTM) deep learning model. In addition, to keep the model's classification accuracy from degrading as the system call sequence grows longer, an attention mechanism is added to the classification model. The experimental results show that a deep neural network with a two-layer Bi-LSTM architecture and the attention mechanism reaches 93.5% in distinguishing benign from malicious programs, and an accuracy of 93.1% in the more detailed classification of benign programs and two other malicious types, showing excellent classification ability.